(U) The systems most susceptible to ransomware attacks are personal computers and Internet-facing servers, in particular those utilizing common but outdated operating systems or security.

(U) OCIA assesses that the Healthcare and Public Health Sector is one of the most prevalent targets of ransomware because of its reliance on immediate access to patient records.

(U//FOUO) OCIA assesses that if specific industrial control systems (ICS) were successfully infected with ransomware, it could affect the ability of certain sectors to provide real-time management and control of large networks of geographically scattered equipment. Although security researchers have demonstrated the possibility of ransomware targeting control systems, OCIA assesses that such an attack is highly unlikely given the higher success rate against consumer and business systems, the likelihood that business and process control networks are segmented, and the ability for operators to take a control system out of service and employ manual overrides.

…

(U) Malicious Cyber Actors Use Ransomware to Target Users and Organizations Most Likely to Pay

(U) Malicious actors who employ ransomware are often focused on a very narrow goal: making money. Unlike other malicious actors whose goal is to steal data or disrupt data integrity, those who employ ransomware are often focused on preventing user access to their data or systems. OCIA assesses that because data theft is not the ultimate goal, malicious actors using ransomware overwhelmingly seek out users or organizations that might pay the ransom. Malicious actors need only a few users out of numerous targets to pay for a ransomware campaign to be worthwhile. A recent report highlighted that the average ransom demand in 2016 had risen to $1,077, up from an average of $294 in 2015.

(U) Ransomware often targets a range of organizations that require immediate access to their systems and their data to operate. The 2016 Verizon Data Breach Report found that the top three industries targeted by ransomware were Public Administration, Healthcare, and Financial Services.

(U) The number of ransomware attacks has increased year after year. Symantec found that detections of ransomware against customers it protects increased from 340,000 in 2015 to 463,000 in 2016. Kaspersky Lab found that between 2014-15 and 2015-16 the number of ransomware attacks targeting its customers had increased five times (131,111 to 718,536). Malicious actors are not limited to randomly targeting organizations with ransomware. Openly available Personally Identifiable Information (PII) allows actors to identify targets and potentially design a more believable email message (with a ransomware executable) that the user is more likely to open. In November 2016, a ransomware email phishing campaign targeted thousands of government workers who had information exposed during the 2015 Office of Personnel Management’s breach of PII.

…

(U) Disruptive ICS Attacks with Ransomware are Possible, but Unlikely

(U//FOUO) OCIA assesses that if ICS were successfully infected with ransomware, it could affect the ability of operators to provide real-time management and control of large networks of geographically scattered equipment, and destabilize assets resulting in a loss of operator control and potential damage or destruction of critical operational equipment. Researchers from Georgia Tech created a proof-of-concept ransomware strain named LogicLocker that can alter programmable logic controller (PLC) parameters. Although security researchers have demonstrated the possibility of ransomware targeting control systems, OCIA assesses that such an attack is highly unlikely given the higher success rate against consumer and business systems, the likelihood that business and process control networks are segmented, and the ability for operators to take a control system out of service and employ manual overrides.